Last updated: 19th November 2025
Controller for processing on this website and the marketplace within the meaning of the GDPR:
Coderizo LLC
7901 4th Street North, STE 300
St. Petersburg, Florida 33702
United States of America
Email: contact@coderizo.com
Rapid/direct contact: contact form
Phone: +1 813 694 8335
EU representative pursuant to Art. 27 GDPR
Martin Schlotfeldt
Hinter dem Dorfe 3
31234 Edemissen
Germany
Email: dsa@coderizo.com
Tel.: +49 1567 9039512
No Data Protection Officer has been appointed because the legal criteria under Art. 37 GDPR and § 38 BDSG are not met.
B2B notice: Our services are offered exclusively to business customers. We may process personal data of customer/vendor contact persons (e.g., name, business email, phone, role) for contract initiation and performance.
EU data subjects may also contact our Art. 27 representative for GDPR matters.
We process our visitors’ / customers’ personal data only to the extent necessary to provide a functional online shop and our content and services. Processing is carried out on the basis of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and other applicable legal provisions.
Our shop is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. We have concluded a data processing agreement pursuant to Art. 28 GDPR with Hetzner. In the course of hosting, all data that are necessary for the operation and delivery of our online service are processed (website content, databases, uploads, meta/communication data, server logs). The legal basis is Art. 6 (1)(f) GDPR (legitimate interests in secure and efficient provision of our online service) and, where a contract with you exists, Art. 6 (1)(b) GDPR.
Each time our website is accessed, our system automatically collects data and information from the computer system of the calling device:
The data are stored in log files for 30 days and then automatically deleted. The legal basis is Art. 6 (1)(f) GDPR (legitimate interest in the technical stability and security of the server).
We use only technically necessary cookies:
| Cookie | Purpose | Storage period |
|---|---|---|
| coderizo_session | User session ID | End of session / 2 hours of inactivity |
| XSRF-TOKEN | Protection against cross-site request forgery | End of session / 2 hours of inactivity |
| laravel_cookie_consent | Cookie notice acknowledged | 400 days |
| _GRECAPTCHA | Spam protection (Google reCAPTCHA) | 6 months |
No consent under Art. 6 (1)(a) GDPR is required for these technically necessary cookies. We do not use analytics, tracking or marketing cookies.
To secure registration and the contact form we use Google reCAPTCHA (currently v3) provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). The service distinguishes whether an input is made by a human or improperly by automated processing, thus protecting our systems from spam and attacks. The legal basis is Art. 6 (1)(f) GDPR (legitimate interest in protecting our online services).
In the course of the check, technical and usage information (e.g. IP address, time spent on the page, mouse/keyboard interactions) is transmitted to Google; transfer to Google LLC in the USA may occur. Google LLC participates in the EU–US Data Privacy Framework (DPF). Where required, we additionally rely on the EU Commission’s Standard Contractual Clauses (Art. 46 GDPR).
We load reCAPTCHA only on pages or interactions where protection is required. Where Google sets any non-essential cookies in specific implementations, we obtain consent in the EEA before activation.
Google acts as an independent controller for providing this security service. Further details are available in Google’s Privacy Policy and Terms of Service.
When you create a customer account, we process the following data:
Mandatory details for a B2B invoice (e.g. company name, VAT ID no., billing address) are also collected when an order is placed. The legal basis is Art. 6 (1)(b) GDPR (contract initiation and performance).
For vendors who list plugins on our marketplace, we collect and verify business information (e.g., company name, address, contact details, payment account details, tax/VAT numbers, and evidence supporting the business identity) in order to set up and administer the vendor account, prevent abuse/fraud, and meet marketplace compliance expectations. The legal bases are Art. 6 (1)(b) GDPR (contract) and Art. 6 (1)(f) GDPR (our legitimate interests in safeguarding platform integrity and preventing fraud). Data are retained for the duration of the vendor relationship and statutory retention periods.
Vendor identity verification is conducted in line with Article 30 DSA (trader traceability). Vendors must keep information accurate and up to date.
To ensure that we contract exclusively with business customers, we verify business status at sign-up/checkout. For this purpose we process company name, legal form, business address, VAT ID or comparable tax/registration number (where applicable), domain-based business email, website/imprint information and public-register entries. We may perform automated VAT checks (e.g., VIES) and manual reviews of public sources.
Legal bases: Art. 6(1)(b) GDPR (pre-contractual steps/contract) and Art. 6(1)(f) GDPR (legitimate interests in preventing misuse/fraud and complying with our B2B-only terms).
Retention: For unsuccessful sign-ups or rejected orders, verification data are retained for up to 6 months (evidence of due diligence), then deleted unless statutory retention requires longer; for customers, data are retained for the duration of the account plus statutory retention periods.
During the subscription term, we may conduct proportionate checks to verify an active service term, instance eligibility and compliance with our terms. For this purpose we process limited account metadata (e.g., account/instance identifiers, subscription status), technical event data and audit logs, strictly to the extent necessary to enforce our terms and protect security, privacy and confidentiality.
Legal basis: Art. 6(1)(f) GDPR (legitimate interests in contract enforcement, platform integrity and security).
Retention: Log/audit records used for checks are retained for up to 12 months unless required longer to establish, exercise or defend legal claims.
We process reports (e.g., IP infringement, illegal content) and related correspondence to review, action and document notices, counter-notices and repeat-infringer measures. Processed data may include your contact details, role, report content, URLs, technical identifiers and our internal assessment notes.
Legal bases: Art. 6(1)(c) GDPR (legal obligations under the EU Digital Services Act, where applicable) and Art. 6(1)(f) GDPR (legitimate interests in maintaining platform integrity and defending legal claims).
Retention: Case files are kept for 24 months after closure (or longer where necessary for legal defense) and then deleted or anonymized.
Contact points under the DSA are listed in our Imprint.
Coderizo qualifies as a micro enterprise under the EU SME definition (fewer than 10 employees and ≤ EUR 2 million annual turnover/balance sheet). Accordingly, the additional obligations for online platforms in Section 3 DSA and those for online marketplaces in Section 4 DSA do not apply to us while we remain micro/small (Articles 19 and 29 DSA). Core intermediary duties (e.g., terms transparency, notice-and-action, statements of reasons) continue to apply. We will update this notice if our status changes.
We process payments via Stripe. Because we use a Stripe US account, payment data are transmitted to Stripe, Inc., 354 Oyster Point Boulevard, South San Francisco, CA 94080, USA. Depending on your location and the product used, certain processing may also be carried out by Stripe Payments Europe, Limited (SPEL) (Ireland) – see Stripe’s Privacy Center for details on which Stripe entity is responsible in a given scenario.
Processed data typically include transaction details (amount, currency, method), masked card data, name, billing address, IP address, device data and fraud-prevention signals. Stripe may act as our processor and/or as an independent controller for risk, compliance and regulatory purposes.
Stripe may combine signals it collects in connection with our transactions with fraud-prevention data it processes as an independent controller.
International transfers: Transfers to the USA occur. Stripe, Inc. participates in the EU–US Data Privacy Framework (DPF); where required, Stripe also relies on the EU Commission’s Standard Contractual Clauses (SCCs). Further information is available in Stripe’s Privacy Center.
Legal bases: Art. 6 (1)(b) GDPR (payment processing for the contract) and Art. 6 (1)(f) GDPR (fraud prevention and platform security). Retention: Payment records are stored for 10 years to comply with statutory retention requirements.
We generate invoices and manage accounting records directly within our platform. For this purpose, we process billing and contract data (e.g., company name, address, VAT ID, contact details, order details, invoice number, amounts, payment status, and related audit trails). Where applicable, documents may contain the name and business contact details of your contact person.
Legal bases: Art. 6 (1)(b) GDPR (performance of the contract) and Art. 6 (1)(c) GDPR (compliance with statutory tax/commercial retention obligations).
Retention: Invoice and accounting data are retained for 10 years in accordance with applicable statutory requirements (e.g., where relevant, § 147 AO, § 257 HGB, or comparable laws).
Storage/Transfers: Data are stored on our own systems as described under “Hosting”. No third-country transfers occur for invoicing/accounting beyond those described under “Payment Processing (Stripe)”.
Where an Extension processes data in your own Shopware environment or connects to services of a Coderizo Extension Partner, you and/or the respective Partner act as independent controllers for such processing. In these cases, the Partner’s privacy notice applies to their service. We do not control or monitor processing in your own Shopware environment.
When you use our contact form, we process:
The data are processed to handle your enquiry. The legal basis is Art. 6(1)(b) GDPR where the request relates to contract initiation or performance, otherwise Art. 6(1)(f) GDPR (our legitimate interest in efficient support). Support emails are archived for 6 years in accordance with applicable statutory retention requirements (e.g., tax/commercial law).
If you subscribe to our newsletter, we process your email address on the basis of your consent (Art. 6(1)(a) GDPR). We use a double-opt-in procedure. We log the subscription and confirmation (time, IP address, confirmation token/hash, and the text of the opt-in) in order to comply with our legal obligation to be able to demonstrate consent (Art. 6(1)(c) GDPR in conjunction with Art. 7(1) GDPR; for Germany also § 7(2) UWG).
You can withdraw consent at any time via the unsubscribe link in each email with effect for the future. Retention: We delete unconfirmed double-opt-ins after 30 days. Confirmed consent logs are retained for up to three (3) years after the end of the calendar year in which you withdraw consent or last received a newsletter (whichever is later), to fulfil documentation duties and to assert or defend legal claims (Art. 17(3)(e) GDPR). We also keep a minimal suppression list (email address only) to ensure no further emails are sent after an objection or withdrawal (Art. 6(1)(f) GDPR).
If specific retention periods are stated in individual sections (e.g., logs, invoicing, support, notices), those periods take precedence. Otherwise, we delete or anonymize personal data when the purpose no longer applies and no statutory retention prevents deletion.
Without prejudice to other administrative or judicial remedies, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement.
Supervisory authority for matters relating to our EU representative:
Die Landesbeauftragte für den Datenschutz Niedersachsen (LfD Niedersachsen)
Prinzenstraße 5, 30159 Hannover, Germany
Tel.: +49 511 120-4500 — www.lfd.niedersachsen.de
Our services are intended for business users. We do not knowingly offer services to, or target, children under the age of 16.
Where service providers in the USA are involved (e.g., Google LLC, Stripe, Inc.), we rely—where available—on the EU–US Data Privacy Framework certification of the respective US entity; where this is not sufficient for the specific transfer, we additionally use the EU Commission’s Standard Contractual Clauses (Art. 46 GDPR) and implement supplementary measures as needed. For transfers to the United Kingdom, we rely on the UK adequacy regulations and/or the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, as applicable.
You have the rights of access, rectification, erasure, restriction, data portability and to lodge a complaint (see Section 18). Where we process personal data based on our legitimate interests (Art. 6(1)(f) GDPR), you have the right to object on grounds relating to your particular situation (Art. 21 GDPR). Where processing is based on consent, you may withdraw it at any time with effect for the future.
To exercise your rights, contact us or our EU representative using the details in Section 1.
We respond to requests without undue delay and within one month pursuant to Art. 12(3) GDPR (extendable by two months where necessary, with notice).
You have the right to object at any time to processing of personal data for direct marketing (Art. 21(2) GDPR).
We implement appropriate technical and organizational measures (including access controls, encryption in transit, least-privilege access and logging) to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
We reserve the right to amend this privacy policy so that it always complies with current legal requirements or to implement changes to our services. The version published at the time of your visit shall apply.